DDoS Protection

Distributed Denial of Service (DDoS) attacks threaten businesses with downtime that can damage their brand and even lead to financial losses. With the many IoT device-powered botnets and for-hire DDoS services, the threat of an attack is greater than ever. F5 provides DDoS protection that makes sense for your architecture.

DDOS ATTACKS

HTTP Flood

In an HTTP flood, the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application. These attacks typically consume less bandwidth than others but focus on triggering complex server-side processing to bring down the targeted site or app. HTTP floods can sometimes trigger large responses from web servers that turn the attack into a pipe-saturating volumetric attack.

Slowloris

Slowloris works by opening multiple connections to a web server and sending HTTP requests, none of which are ever completed. Periodically, the attacker sends subsequent HTTP headers for each request, but never actually completes the request. Ultimately, the target server’s maximum concurrent connection pool is filled and legitimate connections are denied.

Heavy URL

During the reconnaissance phase, an attacker will map out the most computationally expensive URLs on a site or application, also known as heavy URLs. Heavy URLs include any URL causing greater server load upon request. The initial HTTP request is relatively small but can take a long time to complete or yield large response sizes. These requests can require the server to load multiple large files or run resource-intensive database queries.

Slow Post

An attacker begins by sending a legitimate HTTP POST request to a web server, in which the header specifies the exact size of the message body that will follow. However, that message body is then sent at an extremely slow rate. Because the message is technically correct and complete, the targeted server attempts to follow all specified rules. If an attacker establishes enough of these POST attacks simultaneously, they consume server resources to the extent that legitimate requests are denied.
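Both Slowloris and Slow Post are detected on the server side by the same kind of bookkeeping: how long a connection has been open versus how much of the request has actually arrived. The following added example (not F5 code) audits a constructed snapshot of in-flight connections and reports which ones a server should close; the timeouts, rate floor and per-client cap are illustrative assumptions.

```python
"""Flag in-flight HTTP connections that match slow-request DoS patterns."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    conn_id: int
    client: str
    opened_at: float      # seconds since epoch (constructed values below)
    headers_done: bool    # request line and all headers received
    content_length: int   # body size declared in the header (0 if none)
    body_bytes: int       # body bytes received so far


def audit_connections(conns, now, header_timeout=20.0, body_grace=5.0,
                      min_body_rate=100.0, max_per_client=50):
    """Return {conn_id: reason} for connections the server should close.

    SLOW_HEADERS: headers still incomplete after header_timeout (Slowloris).
    SLOW_BODY:    declared body trickling in below min_body_rate B/s (Slow Post),
                  judged only once the connection is older than body_grace.
    CLIENT_CAP:   one client holding more than max_per_client connections.
    """
    to_close = {}
    per_client = Counter(c.client for c in conns)
    for c in conns:
        age = now - c.opened_at
        if not c.headers_done and age > header_timeout:
            to_close[c.conn_id] = "SLOW_HEADERS"
        elif c.headers_done and c.content_length > c.body_bytes and age > body_grace:
            if c.body_bytes / age < min_body_rate:
                to_close[c.conn_id] = "SLOW_BODY"
        if c.conn_id not in to_close and per_client[c.client] > max_per_client:
            to_close[c.conn_id] = "CLIENT_CAP"
    return to_close


# Constructed snapshot, taken at NOW; addresses are RFC 5737 documentation ranges.
NOW = 1_700_000_100.0
SAMPLE = [
    Conn(1, "198.51.100.7", NOW - 2, True, 0, 0),             # ordinary GET
    Conn(2, "203.0.113.5", NOW - 45, False, 0, 0),            # headers dribbling for 45 s
    Conn(3, "203.0.113.9", NOW - 60, True, 1_000_000, 900),   # 1 MB declared, 15 B/s
    Conn(4, "198.51.100.8", NOW - 3, True, 50_000, 40_000),   # healthy upload, still in grace
]

if __name__ == "__main__":
    print(audit_connections(SAMPLE, NOW))  # {2: 'SLOW_HEADERS', 3: 'SLOW_BODY'}
```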

SSL Renegotiation

This attack takes advantage of an asymmetric workload by requesting a secure connection, and then continuously renegotiating it. This requires a lot of CPU power from the server and can slow current or new connections or even take down the server.

SSL Flood

Attackers send numerous TLS/SSL connection requests with the client never closing the connection. Once the concurrent connection limit is reached, the TLS termination point stops processing traffic, including legitimate requests.

SSL Squeeze

A variant of an SSL renegotiation attack, the squeeze attack continuously attempts to renegotiate the connection handshake, forcing the server to decrypt “junk” requests.

Typical renegotiation attacks multiplex SSL handshakes, which can be mitigated by disabling renegotiation on the server. However, SSL squeeze opens new TCP connections for each request, eventually consuming I/O.

DNS Flood

DNS servers rely on UDP for name resolution, which, unlike TCP, is connectionless. Because UDP requires no confirmation that packets have been received, the source address of a query is easily spoofed.

NXDomain Flood

A variant of the DNS flood, an attacker floods the DNS server with requests for invalid or nonexistent records. Then, the DNS server spends its resources looking for something that doesn't exist instead of serving legitimate requests. The result is that the cache on the DNS server gets filled with bad requests and clients can't find the servers they’re looking for.
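The distinguishing signal of an NXDomain flood is a client producing many unique, nonexistent names in a short window, which a resolver's logs expose directly. The added example below (not F5 code) runs a sliding-window check over constructed resolver log lines; the log format, thresholds and addresses are assumptions.

```python
"""Flag clients whose resolver traffic looks like an NXDomain flood."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, client, qname, rcode.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=198.51.100.7 qname=www.example.com rcode=NOERROR
2024-05-01T10:00:01Z client=203.0.113.5 qname=k3j4h.example.com rcode=NXDOMAIN
2024-05-01T10:00:01Z client=203.0.113.5 qname=p9x2m.example.com rcode=NXDOMAIN
2024-05-01T10:00:02Z client=203.0.113.5 qname=q7z1a.example.com rcode=NXDOMAIN
2024-05-01T10:00:02Z client=198.51.100.7 qname=mail.example.com rcode=NOERROR
2024-05-01T10:00:03Z client=203.0.113.5 qname=b8n5v.example.com rcode=NXDOMAIN
2024-05-01T10:00:03Z client=203.0.113.5 qname=www.example.com rcode=NOERROR
2024-05-01T10:00:04Z client=198.51.100.7 qname=typo.exmple.com rcode=NXDOMAIN
2024-05-01T10:00:59Z client=203.0.113.5 qname=r2d2c.example.com rcode=NXDOMAIN
"""


def parse_line(line):
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_nxdomain_flood(log_text, window=timedelta(seconds=60),
                          min_queries=5, min_ratio=0.8):
    """Return {client: (queries, nxdomain)} for the worst window of any client
    that sent at least min_queries queries within `window`, of which min_ratio
    or more were answered NXDOMAIN. A single typo never trips the rule."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        per_client[rec["client"]].append((rec["ts"], rec["rcode"] == "NXDOMAIN"))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            total = end - start + 1
            nx = sum(1 for _, is_nx in events[start:end + 1] if is_nx)
            if total >= min_queries and nx / total >= min_ratio:
                if nx > flagged.get(client, (0, 0))[1]:
                    flagged[client] = (total, nx)
    return flagged


if __name__ == "__main__":
    print(detect_nxdomain_flood(SAMPLE_LOG))  # {'203.0.113.5': (6, 5)}
```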

DNS Amplification

DNS amplification is a type of reflection attack that manipulates vulnerable internet-facing DNS servers, causing them to flood an internet resource with an influx of large UDP packets.

An attacker-controlled botnet is scripted to send small, but specially formed, DNS queries to any publicly available DNS resolver. This elicits a disproportionate response from the DNS resolver. The packet headers also include a spoofed IP address, the IP address of the DDoS target. Upon receiving the query, the open DNS resolvers provide an extremely large response to the target of the attack, which eventually consumes the bandwidth of the internet resource.

SYN Flood

Every client-server conversation begins with a standard three-way handshake. The client sends a SYN packet, the server responds with a SYN-ACK, and the TCP connection is established with a final client ACK. In a SYN flood attack the client sends massive numbers of SYN requests, and never responds to the SYN-ACK messages from the server.

This leaves the server with open connections waiting for responses from the client. Each of these half-open connections is tracked in the TCP connection table, eventually filling the table and blocking additional connection attempts, legitimate or otherwise.

Memcached Amplification

An amplification attack is a type of reflection attack that takes advantage of the ability to send small spoofed packets to services that, as part of their normal operation, will reply back to the target with a much larger response.

Memcached is a database caching system for speeding up websites and networks. Attackers can spoof requests to a vulnerable internet-facing memcached server, which then floods a target with traffic, potentially overwhelming their resources. While the target’s infrastructure is overloaded, new requests can’t be processed and regular traffic can’t access the Internet resource, resulting in denial-of-service.

Other types of amplification attacks include NTP, SSDP, SNMPv2, CharGEN, QOTD, and more.

UDP Flood

UDP is a standard communication protocol across IP networks. Because UDP packets are stateless, they require less error checking and validation in contrast to TCP. A UDP flood attack attempts to overload a server with requests by saturating the connection tables on every accessible server port.

Filling the connection table with these requests prevents legitimate requests from being processed.

IP Fragmentation

IP fragmentation is a process established by the design of the IP protocol that breaks packets or datagrams into smaller fragments so they can pass through network links that have a smaller maximum transmission unit (MTU). The host or stateful security device receiving the fragments reassembles them into the original datagram; the IP header of each fragment tells the receiver how to do so.

These attacks come in various forms, but all variations attempt to use fragmentation to overwhelm the target server or network node.

WHAT DEFENSE MAKES SENSE?

When considering what protection model is best for your business think about ease of deployment based on where your applications are hosted—in the cloud, on-premises, or a mix of both. Also consider your number of in-house experts and the level of hands-on management you prefer. Your solution can evolve over time as Application Infrastructure Protection needs change.

ON-PREMISES

Maintain direct control of DDoS mitigation with devices you own and operate, but remain vulnerable to large attacks that overwhelm your bandwidth capacity.

CLOUD-BASED

All traffic flows through F5 Silverline with 24x7 expert monitoring and mitigation of attacks.

HYBRID

Retain control of mitigation timing and techniques but have automated on-demand help from F5 Silverline for the large, bandwidth-consuming attacks.

PROTECT APP INFRASTRUCTURE

Protect the network, DNS, and TLS

Your network, DNS, and TLS aren’t often thought of as a part of an application. But DoS or DDoS attacks against these tiers can render your networks, applications, or other supporting infrastructure inaccessible. Our DDoS protection solutions will ensure attacks against these tiers won’t introduce performance degradation or downtime.

Managing your solution

F5 offers several options for managing your DDoS solution. Several factors, like where the app is hosted and the number of in-house technical experts you have, can help you decide what’s right for your organization.

FULLY MANAGED

A cloud-based scrubbing service, managed by F5 DDoS experts. This service detects and mitigates large-scale attacks targeted at layers 3-7, returning clean traffic to your site or application.

SELF MANAGED

An appliance for your on-premises or colocated data center that gives you direct control over DDoS attack mitigation. Deploy as a hybrid solution and leverage our cloud-based scrubbing service for bandwidth-saturating volumetric attacks.

Deploying your solution

F5 DDoS solutions are available in several deployment options, so architecture changes aren’t required to mitigate DDoS attacks.

Need help deploying your F5 solution?

Contact F5: 1-888-882-7535

CLOUD-BASED: ALWAYS ON

A managed service that continuously processes all traffic through Silverline cloud-scrubbing services, returning only clean traffic to your site or application.

CLOUD-BASED: ON DEMAND

A cloud-based managed service that’s pre-configured for your systems and runs on standby. Mitigation can be initiated when under attack.

ON-PREMISES: INLINE

Deploy your on-premises DDoS mitigation appliance inline to all traffic, so that it’s positioned to immediately analyze anomalous traffic and block it if necessary.

ON-PREMISES: OUT OF PATH

Deploy your DDoS mitigation appliance out of the traffic path so that traffic traverses the fewest devices possible. When an attack is recognized, your appliance signals your router to re-route traffic through the DDoS mitigation appliance to prevent any service degradation. As the attack subsides, traffic flow returns to its normal path.

How To Buy

SUBSCRIPTION

Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.

PERPETUAL

Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.

ENTERPRISE LICENSE AGREEMENT (ELA)

Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.

PROTECT APPLICATIONS

Layer 7 attacks are much more common in today’s threat landscape. Attackers are increasingly using low-and-slow attacks that target an application’s compute power to degrade performance or bring down an application. These attacks avoid network-level detection and are often unique to a particular application.

Managing your solution

F5 offers several options for managing your DDoS solution. Several factors, like where the app is hosted and the number of in-house technical experts you have, can help you decide what’s right for your organization.

CLOUD-BASED MANAGED SERVICE

A cloud-based scrubbing service, managed by F5 DDoS experts. This service detects and mitigates large-scale attacks targeted at layers 3-7, returning clean traffic to your site or application.

ON-PREMISES HARDWARE

An appliance for your on-premises or colocated data center that gives you direct control over DDoS attack mitigation.

Deploying your Solution

F5 DDoS solutions are available in several deployment options, so architecture changes aren’t required to mitigate DDoS attacks.

CLOUD-BASED: ALWAYS ON

A cloud-based managed service that continuously processes all traffic through Silverline cloud-scrubbing services, returning only clean traffic to your site or application.

CLOUD-BASED: ALWAYS AVAILABLE

A cloud-based managed service that’s pre-configured for your systems and runs on standby. Mitigation can be initiated when under attack.

ON-PREMISES: INLINE

Deploy your on-premises DDoS mitigation appliance inline to all traffic, so that it’s positioned to immediately analyze anomalous traffic and block it if necessary.

ON-PREMISES: OUT OF PATH

Deploy your DDoS mitigation appliance out of the traffic path so that traffic traverses the fewest devices possible. When an attack is recognized, your appliance signals your router to re-route traffic through the DDoS mitigation appliance to prevent any service degradation. As the attack subsides, traffic flow returns to its normal path.